Rig Exploit Kit Rule

We use FireEye in conjunction with SA, and we have been seeing a fair share of Rig Exploit Kit traffic. To track and find this traffic in SA, there is a quite simple rule that can be written to catch the Rig Exploit Kit variants currently being used in the wild.

There is a good article by the SANS Internet Storm Center that covers how the Rig Exploit Kit is currently infecting unsuspecting hosts.

Looking at the traffic from that analysis, we can see that there are constant elements making up part of the query string in the GET request.

I have taken part of the text that remains constant in the GET request query string and made a simple rule from it. Because the rule matches a single fixed token, expect to revise it when the kit changes its URL pattern.

Just create a rule that contains the following:

query contains 'PrfJxzFGMSUb'
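As an added example that is not part of the original post, here is a small Python script modelling what the SA rule does: it pulls the request line out of each log entry, isolates the query component of the URL, and fires only when the token occurs in the query string (not in the path, since the rule keys on `query`). The log format, host addresses and query values are constructed for illustration and are not real Rig traffic; the token is the one from the rule above.

```python
import re
from urllib.parse import urlsplit

# The fixed token the SA rule `query contains 'PrfJxzFGMSUb'` looks for.
RIG_TOKEN = "PrfJxzFGMSUb"

# Request line inside a combined-format (proxy-style) log entry, e.g.
#   "GET http://host/path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/\d\.\d"')


def query_string(log_line):
    """Return the query component of the requested URL, or None if the
    line carries no recognisable request line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    # urlsplit handles both absolute URLs and bare paths; .query is the
    # part after '?', without the '?', or '' if there is none.
    return urlsplit(m.group("url")).query


def rule_fires(log_line, token=RIG_TOKEN):
    """Model of `query contains '<token>'`: substring match on the query
    component only. A token that appears only in the path does not fire."""
    q = query_string(log_line)
    return q is not None and token in q


def scan(lines, token=RIG_TOKEN):
    """Return the 1-based indices of the log lines on which the rule fires."""
    return [i for i, line in enumerate(lines, start=1) if rule_fires(line, token)]


# Constructed sample log lines (assumed format; not captured traffic).
# Line 1 carries the token in the query string and should fire.
# Line 2 carries the token only in the path and should not fire.
# Line 3 is ordinary browsing and should not fire.
# Line 4 has no request line at all and should be ignored.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2017:10:00:01 +0000] "GET http://198.51.100.7/index.php?PrfJxzFGMSUb=Xq3&zz=1 HTTP/1.1" 200 1532',
    '10.0.0.6 - - [01/Jan/2017:10:00:02 +0000] "GET http://203.0.113.9/PrfJxzFGMSUb/landing HTTP/1.1" 404 310',
    '10.0.0.7 - - [01/Jan/2017:10:00:03 +0000] "GET http://www.example.invalid/search?q=rig+exploit+kit HTTP/1.1" 200 9812',
    '10.0.0.8 - - [01/Jan/2017:10:00:04 +0000] malformed entry with no request line',
]


if __name__ == "__main__":
    for i in scan(SAMPLE_LOG):
        print(f"line {i}: Rig Exploit Kit rule fired: {SAMPLE_LOG[i - 1]}")
```

Running the script reports only line 1. Line 2 is the case worth keeping in mind when writing the SA rule: `query contains` inspects the query string, so the same token in the URL path would need a separate condition if you ever wanted to catch it there too.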

This has had a very good success rate and, so far, no false positives. I have seen this alert fire several times, and I'm happy with the outcome.